Article 66 GDPR: Difference between revisions

From GDPRhub
(style consistency)
Line 200: Line 200:


== Commentary ==
== Commentary ==
Article 66 GDPR provides for an exception to the cooperation mechanism. Under certain conditions, mostly related to reasons of urgency and the need to protect the rights of the data subject, the SA is given the possibility to adopt provisional measures valid on its territory. The same article also provides some specific rules for the intervention of the EDPB and the timing of its decision.


=== (1) Adoption of Provisional Measures ===
=== (1) Adoption of Provisional Measures ===
On the condition that the three strict requirements mentioned in Article 66(1) are met (exceptional circumstances, urgent need to act and protection of the rights and freedoms of data subjects), a supervisory authority ('SA') can adopt a measure which is limited to its territory and the duration of which cannot be longer than 3 months.<ref>See e.g., Guarante, 22 January 2021, TikTok, Case 9524194 (available [https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9524194 here]).</ref> Such a SA can of course be a concerned SA (SA), but also the lead supervisory authority (LSA), if the latest considers that the measure should be adopted urgently without going through the cooperation mechanism.
In exceptional circumstances, where a supervisory authority concerned (Article 4(22) GDPR) considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism (Articles 60, 63, 64 and 65 GDPR) immediately adopt provisional measures intended to produce legal effects on its own territory. Article 66 creates strict conditions for cross-border cases when a DPA wishes to act on its own without consulting the other DPAs concerned. Three conditions must be fulfilled in this regard, namely (1) exceptional circumstances, (2) an urgent need to act and (3) the need for protection of the rights and freedoms of data subjects.<ref>CJEU, C-645/19, 15 June 2021, Facebook Ireland, margin number 59 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref> The latter is fulfilled if a concrete and immediate damage or disadvantage is to be expected.<ref>''Georgieva'' in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 1030 (Oxford University Press 2020).</ref> In such cases, a supervisory authority ('SA')<ref>Such a SA can of course be a concerned SA (SA), but also the lead supervisory authority (LSA), if the latest considers that the measure should be adopted urgently without going through the cooperation mechanism.</ref> can adopt a measure which is limited to its territory and the duration of which cannot be longer than 3 months.<ref>See e.g., Garante, 22 January 2021, TikTok, Case 9524194 (available [https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/docweb/9524194 here]).</ref> This decision must be motivated and communicated to the Commission and the EDPB and to the “''other SAs concerned''”.<ref>''Georgieva'' correctly points out that "[h]''owever, the urgent measure can only be addressed when its addressee has either an establishment or a representative in the territory of the DPA concerned. 
This means that the provision does not apply if the DPA is 'concerned' by the processing of personal data under Article 4(22)(6) or (c) (i.e. when data subjects are substantially affected or a complaint has been lodged with that DPA) but there is no one on its territory against whom the measures can be addressed''". See, ''Georgieva'' in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 1030 (Oxford University Press 2020).</ref>
 
This decision should be communicated to the Commission and the EDPB, but also to the “other SAs concerned”, together with the reasons for adopting such measures.
 
However, the provision does not say to who the decision should be addressed if there is no establishment or representative of the controller on the territory of the SA where the measure is imposed.
 
The GDPR foresees two cases where the urgency is presumed to be met, namely when an SA does not answer within one month to a request for mutual assistance (Article 61(8) GDPR) or to a request of joint operations (Article 62(7) GDPR).
 
Situations in which the urgency of the measures is presumed may cover, for example, cases where an SAC is potentially faced with persistent inertia from the LSA in charge.<ref>Opinion of the Advocate General Bobek on Case C-645/19, margin number 135 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62019CC0645 here]).</ref>
 
Article 66 is one of the exceptions to the cooperation (“one-stop-shop”) mechanism under Article 56 and 60 GDPR and should be used, as stated by the first part of this provision, “in exceptional circumstances”.<ref>CJEU, 15 June 2021, Facebook Ireland, C-645/19, margin number 59 (available [https://curia.europa.eu/juris/liste.jsf?num=C-645/19 here]).</ref>  


==== Presumption of Urgency ====
The GDPR foresees two cases where the urgency requirement is presumed, namely when an SA does not answer within one month to a request for mutual assistance (Article 61(8) GDPR) or to a request of joint operations (Article 62(7) GDPR). <ref>Situations in which the urgency of the measures is presumed may cover, for example, cases where an SAC is potentially faced with persistent inertia from the LSA in charge. Opinion of the Advocate General Bobek on Case C-645/19, margin number 135 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62019CC0645 here]).</ref> On 12 July 2021, the EDPB adopted an urgent binding decision under Article 66 GDPR, at the request of the Hamburg SA which adopted provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects.<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]). </ref> The Hamburg SA considered that the urgency requirement was presumed, as specifically stated by Article 61(8) GDPR. However, the Hamburg SA had made some specific requests through the IMI system by using, in particular, the VMA channel (Voluntary Mutual Assistance). 
According to the interpretation provided by the EDPB, "''Unlike formal [[Article 61 GDPR]] requests, the SA receiving a VMA request does not have a legal obligation to answer to that request''".<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin number 177 (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]).</ref> Therefore, the EDPB considered that the urgency was not established considering that the Hamburg SA "''did not formally launch an [[Article 61 GDPR]] request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA".'' Furthermore, the urgency needed to be demonstrated under Article 66(2) GDPR, which could not be done in the present case.<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin numbers 180, 181, 196 (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]).</ref>
=== (2) Adoption of a Final Decision after Provisional Measures ===
=== (2) Adoption of a Final Decision after Provisional Measures ===
When the SA having adopted the provisional measure under Article 66(1) considers that a final decision should be adopted, it should refer the matter to the EDPB, which shall adopt an urgent opinion or urgent decision.
When the SA that has adopted the provisional measure under Article 66(1) GDPR considers that a final decision should be adopted, it should refer the matter to the EDPB, which shall adopt an urgent opinion or urgent decision. The reasons for asking such a final decision should obviously be substantiated by the requesting SA.<ref>It is not clear what kind of urgent opinion the SA could ask the EDPB to adopt: while one can understand that a decision implying a coercive measure can be adopted by a SA, it is not clear what kind of urgent opinion the EDPB could adopt, having a look in particular to the list of opinions under Article 64 GDPR.</ref> In the cases foreseen by Articles 61(8) and 62(7) GDPR, the reference to the EDPB is mandatory.<ref>See paragraph "''Presumption of Urgency''" above under Article 66(1) GDPR. </ref>  
 
The reasons for asking such an urgent opinion or decision should obviously be mentioned by the requesting SA.
 
It is not clear what kind of urgent opinion the SA could ask the EDPB to adopt: while one can understand that a decision implying a coercive measure can be adopted by a SA, it is not clear what kind of urgent opinion the EDPB could adopt, having a look in particular to the list of opinions that the EDPB should adopt under Article 64 GDPR.
 
Articles 61(8) and 62(7) make an explicit reference to the obligation to ask for an urgent decision from the EDPB where the deadline for mutual assistance or joint operation is not met.
 
On 12 July 2021, the EDPB adopted an urgent binding decision under Article 66 GDPR, at the request of the Hamburg SA which adopted provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects.<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]). </ref>  
 
The Hamburg SA considered that the urgency requirement was presumed, as specifically stated by Article 61(8) GDPR. However, the Hamburg SA had made some specific requests through the IMI system by using, in particular, the VMA channel (Voluntary Mutual Assistance). According to the interpretation provided by the EDPB, "''Unlike formal [[Article 61 GDPR]] requests, the SA receiving a VMA request does not have a legal obligation to answer to that request''".<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin number 177 (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]).</ref> Therefore, the EDPB considered that the urgency was not established considering that the Hamburg SA "''did not formally launch an [[Article 61 GDPR]] request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA".'' Furthermore, the urgency needed to be demonstrated under Article 66(2) GDPR, which could not be done in the present case.<ref>EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin numbers 180, 181, 196 (available [https://edpb.europa.eu/system/files/2021-07/edpb_urgentbindingdecision_20210712_requesthh_fbireland_en.pdf here]).</ref>
=== (3) Adoption of a Final Decision of the EDPB Without Provisional Measures ===
=== (3) Adoption of a Final Decision of the EDPB Without Provisional Measures ===
Besides the case where a SA is asking the EPDB to adopt a final decision after a provisional measure, Article 66(3) opens this possibility for any SA to request an urgent opinion or urgent binding decision, ''“where a competent authority has not taken any appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects”''.
The authority addressed under Article 66(1)-(2) is the "supervisory authority concerned" within the meaning of Article 4(22) GDPR. In contrast, Article 66(3) refers to "''any supervisory authority''" (Article 4(21) GDPR) and allow it to request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects.
 
As acknowledged by the Advocate General BOBEK, the two mechanisms of Articles 61 and 66 of the GDPR on the one hand, and Articles 64 and 65 of the GDPR on the other hand, ''“are somewhat cumbersome. Their actual functioning is not always crystal clear. Therefore, if on paper the abovementioned provisions seem to avoid those problems, only the future application of those provisions will tell whether, in practice, those provisions may turn out to be ‘paper tigers’”''. <ref>Opinion of the Advocate General Bobek on Case C-645/19, margin number 112 (available [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62019CC0645 here]).</ref>
 
Notwithstanding the above, we can surely expect to see interesting developments in the application of this provision, having seen the inaction (or at least the very slow action) of some LSAs in charge of supervising big actors. The procedure under Article 66 allows to protect the interests of the individuals and to force these SAs to act.


=== (4) Procedure ===
=== (4) Procedure ===
As a derogation to the “regular” procedure to be followed to adopt opinion and decisions under Article 64 (3) and 65 (2) GDPR, the deadline for the EDPB to adopt the decision or opinion shall be reduced to two weeks, and a simple majority will be needed (instead of a 2/3 majority in the cases of Article 65(2) GDPR).
As a derogation to the “regular” procedure to be followed to adopt opinion and decisions under Article 64(3) and 65(2) GDPR, the deadline for the EDPB to adopt the decision or opinion shall be reduced to two weeks, and a simple majority will be needed (instead of a 2/3 majority in the cases of Article 65(2) GDPR). It remains to be seen how the EDPB will be able to deal with multiple cases, should the SA decide to use the possibility offered to them under Article 66.
 
It remains to be seen how the EDPB will be able to deal with multiple cases, should the SA decide to use the possibility offered to them under Article 66.  


== Decisions ==
== Decisions ==
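Review bot: In section (3), this revision drops the Advocate General Bobek "paper tigers" quotation together with its reference (Opinion on Case C-645/19, margin number 112), and also the closing paragraph on the inaction of some LSAs. The edit summary says only "style consistency", so a reader of the history cannot tell that commentary was removed. Either restore those two paragraphs or state the removal in the summary. The other moves (the Hamburg SA / VMA passage into the new "Presumption of Urgency" subsection, the addressee point into a footnote) keep their content. Three wording slips in the new text are worth fixing in the same pass: "allow it to request" should read "allows it to request", "if the latest considers" should read "if the latter considers", and "Article 4(22)(6) or (c)" in the Georgieva quotation looks like a typo for "Article 4(22)(b) or (c)".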

Revision as of 18:59, 15 March 2022

Article 66 - Urgency procedure

Legal Text


Article 66 - Urgency procedure

1. In exceptional circumstances, where a supervisory authority concerned considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism referred to in Articles 63, 64 and 65 or the procedure referred to in Article 60, immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months. The supervisory authority shall, without delay, communicate those measures and the reasons for adopting them to the other supervisory authorities concerned, to the Board and to the Commission.

2. Where a supervisory authority has taken a measure pursuant to paragraph 1 and considers that final measures need urgently be adopted, it may request an urgent opinion or an urgent binding decision from the Board, giving reasons for requesting such opinion or decision.

3. Any supervisory authority may request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects, giving reasons for requesting such opinion or decision, including for the urgent need to act.

4. By derogation from Article 64(3) and Article 65(2), an urgent opinion or an urgent binding decision referred to in paragraphs 2 and 3 of this Article shall be adopted within two weeks by simple majority of the members of the Board.

Relevant Recitals

Recital 137: Provisional Measures
There may be an urgent need to act in order to protect the rights and freedoms of data subjects, in particular when the danger exists that the enforcement of a right of a data subject could be considerably impeded. A supervisory authority should therefore be able to adopt duly justified provisional measures on its territory with a specified period of validity which should not exceed three months.

Recital 138: Urgency Procedure
The application of such mechanism should be a condition for the lawfulness of a measure intended to produce legal effects by a supervisory authority in those cases where its application is mandatory. In other cases of cross-border relevance, the cooperation mechanism between the lead supervisory authority and supervisory authorities concerned should be applied and mutual assistance and joint operations might be carried out between the supervisory authorities concerned on a bilateral or multilateral basis without triggering the consistency mechanism.

Commentary

Article 66 GDPR provides for an exception to the cooperation mechanism. Under certain conditions, mostly related to reasons of urgency and the need to protect the rights of the data subject, the SA is given the possibility to adopt provisional measures valid on its territory. The same article also provides some specific rules for the intervention of the EDPB and the timing of its decision.

(1) Adoption of Provisional Measures

In exceptional circumstances, where a supervisory authority concerned (Article 4(22) GDPR) considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects, it may, by way of derogation from the consistency mechanism (Articles 60, 63, 64 and 65 GDPR) immediately adopt provisional measures intended to produce legal effects on its own territory. Article 66 creates strict conditions for cross-border cases when a DPA wishes to act on its own without consulting the other DPAs concerned. Three conditions must be fulfilled in this regard, namely (1) exceptional circumstances, (2) an urgent need to act and (3) the need for protection of the rights and freedoms of data subjects.[1] The latter is fulfilled if a concrete and immediate damage or disadvantage is to be expected.[2] In such cases, a supervisory authority ('SA')[3] can adopt a measure which is limited to its territory and the duration of which cannot be longer than 3 months.[4] This decision must be motivated and communicated to the Commission and the EDPB and to the “other SAs concerned”.[5]

Presumption of Urgency

The GDPR foresees two cases where the urgency requirement is presumed, namely when an SA does not answer within one month to a request for mutual assistance (Article 61(8) GDPR) or to a request for joint operations (Article 62(7) GDPR).[6] On 12 July 2021, the EDPB adopted an urgent binding decision under Article 66 GDPR, at the request of the Hamburg SA, which had adopted provisional measures under Article 66(1) GDPR, based on its consideration that the circumstances were exceptional and there was an urgent need to act to protect the rights and freedoms of data subjects.[7] The Hamburg SA considered that the urgency requirement was presumed, as specifically stated by Article 61(8) GDPR. However, the Hamburg SA had made some specific requests through the IMI system by using, in particular, the VMA channel (Voluntary Mutual Assistance). According to the interpretation provided by the EDPB, "Unlike formal Article 61 GDPR requests, the SA receiving a VMA request does not have a legal obligation to answer to that request".[8] Therefore, the EDPB considered that the urgency was not established considering that the Hamburg SA "did not formally launch an Article 61 GDPR request in the IMI system to the LSA, but merely sent a letter replying to the VMA request flow initiated by the IE SA". Furthermore, the urgency needed to be demonstrated under Article 66(2) GDPR, which could not be done in the present case.[9]

(2) Adoption of a Final Decision after Provisional Measures

When the SA that has adopted the provisional measure under Article 66(1) GDPR considers that a final decision should be adopted, it should refer the matter to the EDPB, which shall adopt an urgent opinion or urgent decision. The reasons for requesting such a final decision should obviously be substantiated by the requesting SA.[10] In the cases foreseen by Articles 61(8) and 62(7) GDPR, the reference to the EDPB is mandatory.[11]

(3) Adoption of a Final Decision of the EDPB Without Provisional Measures

The authority addressed under Article 66(1)-(2) is the "supervisory authority concerned" within the meaning of Article 4(22) GDPR. In contrast, Article 66(3) refers to "any supervisory authority" (Article 4(21) GDPR) and allows it to request an urgent opinion or an urgent binding decision, as the case may be, from the Board where a competent supervisory authority has not taken an appropriate measure in a situation where there is an urgent need to act, in order to protect the rights and freedoms of data subjects.

(4) Procedure

As a derogation from the “regular” procedure to be followed to adopt opinions and decisions under Article 64(3) and 65(2) GDPR, the deadline for the EDPB to adopt the decision or opinion shall be reduced to two weeks, and a simple majority will be needed (instead of a 2/3 majority in the cases of Article 65(2) GDPR). It remains to be seen how the EDPB will be able to deal with multiple cases, should the SAs decide to use the possibility offered to them under Article 66.

Decisions

→ You can find all related decisions in Category:Article 66 GDPR

References

  1. CJEU, C-645/19, 15 June 2021, Facebook Ireland, margin number 59 (available here).
  2. Georgieva in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 1030 (Oxford University Press 2020).
  3. Such a SA can of course be a concerned SA (SA), but also the lead supervisory authority (LSA), if the latter considers that the measure should be adopted urgently without going through the cooperation mechanism.
  4. See e.g., Garante, 22 January 2021, TikTok, Case 9524194 (available here).
  5. Georgieva correctly points out that "[h]owever, the urgent measure can only be addressed when its addressee has either an establishment or a representative in the territory of the DPA concerned. This means that the provision does not apply if the DPA is 'concerned' by the processing of personal data under Article 4(22)(b) or (c) (i.e. when data subjects are substantially affected or a complaint has been lodged with that DPA) but there is no one on its territory against whom the measures can be addressed". See, Georgieva in Kuner et al, The EU General Data Protection Regulation (GDPR): A Commentary, p. 1030 (Oxford University Press 2020).
  6. Situations in which the urgency of the measures is presumed may cover, for example, cases where an SAC is potentially faced with persistent inertia from the LSA in charge. Opinion of the Advocate General Bobek on Case C-645/19, margin number 135 (available here).
  7. EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited (available here).
  8. EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin number 177 (available here).
  9. EDPB, 12 July 2021, Urgent Binding Decision 01/2021 on the request under Article 66(2) GDPR from the Hamburg (German) Supervisory Authority for ordering the adoption of final measures regarding Facebook Ireland Limited, margin numbers 180, 181, 196 (available here).
  10. It is not clear what kind of urgent opinion the SA could ask the EDPB to adopt: while one can understand that a decision implying a coercive measure can be adopted by a SA, it is not clear what kind of urgent opinion the EDPB could adopt, having a look in particular to the list of opinions under Article 64 GDPR.
  11. See paragraph "Presumption of Urgency" above under Article 66(1) GDPR.